03 -o3 -oD 



UTILITY 

p^ent application 
HStransmittal 

S netv nonprovisional applications under 37 CFR 1 53(b)) 



Attorney Docket No. 



PTO/SB/05 MODIFIED BYABTCOS 
I 1 F* 

Total Pages 26 0- 



First Named Inventor or Application Identifier 



William A. Aiello 



Express Mail Label No. 



EL354902823US 



APPLICATION ELEMENTS 

« MPEP chapter 600 concerning utility patent application contents. 



Assistant Commissioner for Patents 

Box Patent Application 

Washington, D.C. 20231 



Fee Transmittal Form 

(submit an original, and a duplicate for fee processing) 

Specification [Total Pages21 ] 

(preferred arrangement set forth below) 

Descriptive title of invention 

Cross References to Related Applications 

Statement Regarding Fed sponsored R&D 

Reference to Microfiche Appendix 

Background of the Invention 

Brief Summary of the Invention 

Brief Description of the Drawings(if filed) 

Detailed Description 

Claim(s) 

Abstract of the Disclosure 

|3 Drawing(s)(35 use 113) [Total Sheets 3 ] 
Oath or Declaration [Total Pages ] 

a. □ Newly executed (original or copy) 

b. □ Copy from a prior application^ cfr 1 63(d» 

(for continuation/divisional with Box 15 completed) 
[Note Box 15 below] 
\ i. □ DELETION OF INVENTOR(S) 

Signed statement attached deleting inventor(s) 
named in the prior application, see 37 CFR 
163(d)(2) and 1.33(b) 



□ Microfiche Computer Program (Appendix) 

□ Nucleotide and/or Amino Acid Sequence Submission 
(if applicable, all necessary) 

a. □ Computer Readable Copy 

b. □ Paper Copy(identical to computer copy) 

C. Q Statement verifying identity of above copies 



ACCOMPANYING APPLICATION PARTS 

7. □ Assignment Papers(cover sheet & document(s)) 

8. □ 37 CFR 3.73(b)Statement □ Power of Attorney 

9. □ English Translation Document (if applicable) 

10. □ Information Disclosure □ Copies of IDS 

Statement(IDS)/PTO-1449 Citations 

11. □ Preliminary Amendment 

12. £3 Return Receipt Postcard (MPEP 503) 

(Should be specifically itemized) 

13. □ Certified Copy of Priority Document(s) 

(if foreign priority is claimed) 

14. □ Other: 



Hp. If a CONTINUING APPLICATION, check appropriate box and supply the requisite information below and in a preliminary amendment: 

f3 Continuation □ Divisional □ Continuation-in-part (CIP) of prior Application No: 

?Prior application information: Examiner: Group/Art Unit: 

Br CONTINUATION or DIVISIONAL APPS only: The entire disclosure of the prior application, from which an oath or declaration is supplied under 
IBbx 4b, is considered a part of the disclosure of the accompanying continuation or divisional application and is hereby incorporated by 
inference. The incorporation can only be relied upon when a portion has been inadvertently omitted from the submitted application parts. 



16. CORRESPONDENCE ADDRESS 



□ Customer Number or Bar Code Label 



(Insert Customer No. or Attach barcode label here) 



Correspondence address ibe 



Samuel H. Dworetsky 



AT&T CORP. P.O. Box 4110 



| STATE 



| New Jersey 



Middletown 



07748-4110 



United States of America 



FAX 



732-368-6932 



17. SIGNATURE OF APPLICANT, ATTORNEY, OR AGENT REQUIRED 



| Reg. # | 42787 



Benjamin S. Lee 




TELEPHONE 973-360,-8117 



| DATE 



"Express Mail" Mailing Label Number EL354902823US 



Date of Deposit 03/01/2000 



I hereby certify that this utility patent application is being deposited with the United States Postal Service "Express Mail Post Office to Addressee" service 
under 37 CFR 1.10 on the date indicated above and is addressed to the Assistant Commissioner for Patents, Washington D.C. , 20231 

Antoinette Dozier 



le of Person Mailing Paper) 



(Signature of Person Mailing Paper) 



Docket No. 1999-0053 



UNITED STATES PATENT APPLICATION 



METHOD AND APPARATUS FOR ENHANCED SECURITY 
IN A BROADBAND TELEPHONY NETWORK 



INVENTORS: 
William A. Aiello 
Steven Michael Bellovin 
Charles Robert Kalmanek, Jr. 
William Todd Marshall 
Aviel D. Rubin 



Docket No. 1999-0053 



Cross Reference to Related Applications 

This application claims priority to United States Provisional 
Application Serial No. 60/122,481, filed on March 1, 1999, and United States 
Provisional Application Serial No. 60/129,476, filed on April 15, 1999, the 
contents of which are incorporated by reference herein. 

This application is related to Provisional Patent Application 
entitled "Telephony on a Broadband Network," Serial No. 60/071,346, filed on 
January 14, 1998; Provisional Patent Application entitled "Telephony Over 
Broadband Access Networks," Serial No. 60/073,251, filed January 30, 1998; 
Provisional Patent Application entitled "Distributed Open Signaling 
Architecture," Serial No. 60/095,288, filed August 4, 1998; and Provisional Patent 
Application entitled "Distributed Open Signaling Architecture," Serial No. 
60/104,878, filed October 20, 1998, the contents of which are incorporated herein 
by reference. 



Docket No. 1999-0053 



METHOD AND APPARATUS FOR ENHANCED SECURITY 
IN A BROADBAND TELEPHONY NETWORK 

Field of the Invention 

5 The present invention relates generally to communication 

networks, and more particularly to enhanced security in a broadband telephony 
network. 

Background of the Invention 

10 Broadband communication networks provide a viable alternative to 

present local exchange carrier (LEC) loops in providing both voice and data 
transmission services. A variety of broadband network architectures have 
emerged as supporting Internet and telephony access: including cable distribution 
networks, ISDN (Integrated Services Digital Network), broadband ISDN, DSL 

1 5 ("Digital Subscriber Line"), ADSL, etc. 

A major concern for such broadband communication networks is 
the need for adequate security measures. The system architecture must ensure 
user privacy across the network medium and prevent unauthorized access to 
services. For example, in the case of cable modems based on the Data Over Cable 

20 Service Interface Specification ("DOCSIS", a term referring to the ITU-T J. 1 1 2 
Annex B standard for cable modem systems), security is provided by the DOCSIS 
Baseline Privacy Interface ("BPI") which addresses some of the vulnerability 
presented by the shared cable network. BPI provides security mechanisms, 
including encryption using the Cipher Block Chaining (CBC) mode of the Data 

25 Encryption System (DES) and key exchange based on RSA encryption, that 
defend against an eavesdropping threat in the cable network. The successor to 
BPI, DOCSIS 1.1 Baseline Privacy Interface Plus ("BPI+") adds authentication 
based on digital certificates that binds media access control addresses for cable 
modems to RSA public keys. DOCSIS cable modems must be pre-certified with 

30 cryptographic keys and/or certificates installed in the hardware at manufacturing 
time. DOCSIS cable modems undergo a registration process and a baseline 
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privacy key exchange procedure that is used to establish a secure channel with the 
cable modem termination system ("CMTS") at the head end. The CMTS verifies 
a cable modem's public key by verifying the authenticity of the certificate. Use of 
encryption such as provided by BPI+ is essential for a shared medium access 
network such as cable. 

On the first hop, security measures such as DOCSIS baseline 
privacy are likely to be adequate. However, the actual path traversed by packets 
is often complex, and BPI does not provide any data privacy beyond the cable 
access network. The susceptibility of the public data networks such as the 
Internet to routing attacks - attacks where the enemy injects false route 
advertisements possibly to divert traffic to pass an eavesdropping station - is a 
concern. Quite simply, the science necessary to prevent such attacks does not 
exist, and it is expected to be a fair number of years before the Internet is 
adequately protected. In a single, well-managed IP backbone network, it may be 
possible to take adequate precautions against eavesdropping through good design 
and rigorous security procedures, though there is still a risk as the equipment and 
network configuration changes. When traffic traverses more than one backbone 
(or gets routed over other regional networks of unknown security), however, the 
potential for attack is greater. In the case of telephony service where ultimate 
delivery of packets could be via the Internet Protocol to a network not under the 
control of the service provider, privacy cannot be guaranteed over such paths. 

Accordingly, a broadband telephony architecture with enhanced 
security features is needed, with the overall goals of protecting the privacy of 
signaling and media traffic and of preventing theft of service. 

Summary of the Invention 

It is an object of the present invention to prevent theft of service. It 
should not be possible to steal another user's identification information by 
electronic means or to sell unlimited service by compromising customer premises 
equipment or injecting messages into the system. Protections should be 
maintained to limit service to authorized usage subject to proper accounting. 
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It is another object of the present invention to protect the privacy 

and integrity of signaling and media traffic. It should not be possible to inject 
65 signaling traffic into the network that appears to be from another source. It should 

also not be possible for unauthorized people to eavesdrop on traffic of other users. 

This includes traffic analysis by which, for example, an attacker can determine 

who is talking to whom. 

It is another object of the present invention to protect the integrity 
70 of the called number. It should not be possible to force a called number to another 

number. This is necessary to prevent a range of attacks on the service, including 

one in which an attacker tries to steal business from a competitor by causing calls 

to be misrouted. 

It is another object of the present invention to abide by government 

75 wiretap laws, e.g. the Communications Assistance for Law Enforcement Act of 
1994 ("CALEA"). This may include supplying signaling information and media 
streams to the authorities. If encryption keys are mediated by the service 
provider, they must also be supplied to the authorities. 

It is another object of the present invention to discourage denial of 

80 service attacks. It should not be easier than it is in the existing PSTN for one user 
or set of users to prevent other legitimate users from obtaining service. 

It is another object of the present invention to provide the correct 
functionality of conventional telephony features. Subscriber features must 
function correctly. For example, caller ID information must be included in all 

85 calls due to trace requirements. Only users that subscribe to the service should 
have access to the information. Users should not be able to forge such 
information in the case of a trace. 

It is another object of the present invention to provide an 
administrative level. There should advantageously be at least two levels of 

90 privilege to the system. This is so that decisions such as invoking emergency 

procedures or downloading new code to customer equipment cannot be performed 
by all users. For example, in an emergency, administrators must have the ability 
to preempt a call, while non-administrators should not have this ability. 
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Thus, in accordance with the present invention, an architecture for 
95 using a broadband telephony interface ("BTI") is provided with enhanced security 
features. The BTI registers itself with the network in a secure fashion, so that it 
can be authenticated and known to the network from then on. A security 
association is created by having the BTI generate a cryptographic key (symmetric 
or otherwise) and send it to the network under the public key of the network 

100 service provider. The two ends can then use this key to establish a secure 

connection, and the BTI can send authorization information such as a credit card 
number over the secure connection. The cryptographic key can then be used to 
derive subsidiary keys that are used for subsequent communications. By having 
the BTI generate its own cryptographic key, instead of having a certificate 

105 installed at manufacturing time, this allows for the possibility of a BTI 

implemented as software. The BTI advantageously need not be a trusted or 
certified box; indeed, a software package executed on a personal computer can 
fulfill the same functions. This is in contrast to the cable modem, for example, 
which must be certified to ensure correct behavior and fair access to the medium. 

1 10 These and other advantages of the invention will be apparent to 

those of ordinary skill in the art by reference to the following detailed description 
and the accompanying drawings. 

Brief Description of the Drawings 

1 15 Fig. 1 is a diagram of a broadband communication network which 

can be utilized with an embodiment of the present invention. 

Fig. 2 is a block diagram of the components of a hardware 

broadband telephony interface configured for use with a preferred embodiment of 

the present invention. 
120 Fig. 3 is an abstract diagram of a communication provisioning 

protocol in accordance with a preferred embodiment of the present invention. 
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Detailed Description 

With reference to Fig. 1 , a diagram of a broadband communication 

125 network is shown which can be utilized with an embodiment of the present 

invention. A packet-switched IP backbone 100 is shown connected to access 
networks 150 and 151, here shown as cable distribution networks, and to a more 
conventional telephony network 135, here shown as the public switched telephone 
network ("PSTN"). A broadband telephony interface ("BTI") 170 is shown which 

130 provide a gateway between one or more telephones 190 and the packet-switched 
network. The BTI 170 may be physically integrated with a cable modem ("CM") 
160, as shown in Fig. 1, to provide the necessary functions to interface between 
one or more phone lines and the depicted cable access network 150. The cable 
modem 160 can also be used by other communication devices 180 (in Fig. 1 

135 shown for example as a personal computer) to connect to the access networks 1 50. 
The access network 150 terminates on a cable modem termination system 
("CMTS") 155 at a head end. The CMTS 155 interfaces to an Internet Protocol 
("IP") edge router ("ER") 120 that connects to a managed IP backbone 100, which 
provides the connectivity to other BTIs (e.g. 171 with corresponding edge router 

140 121, CMTS 156, access network 151, cable modem 161, communication device 
181, and telephone 191) and to gateways 130 to the PSTN 135. A "gate 
controller" 110 provides authentication, authorization, and call routing functions 
for calls originated by BTIs. The authentication information used by the gate 
controller is made available to it by a provisioning process that is described in 

145 further detail below. The backbone provides connectivity to a provisioning server 
140, which is involved in provisioning the BTI and other network elements. 

The particular architecture set forth in Fig. 1 is for illustration 
purposes only and is further described in the following commonly assigned patent 
applications: Provisional Patent Application entitled "Telephony on a Broadband 

150 Network," Serial No. 60/071,346, filed on January 14, 1998; Provisional Patent 
Application entitled "Telephony Over Broadband Access Networks," Serial No. 
60/073,251, filed January 30, 1998; Provisional Patent Application entitled 
"Distributed Open Signaling Architecture," Serial No. 60/095,288, filed August 4, 

5 
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1998; and Provisional Patent Application entitled "Distributed Open Signaling 

155 Architecture," Serial No. 60/104,878, filed October 20, 1998, the entire contents 
of which are incorporated herein by reference. 

Note that although a limited number of network entities are shown 
in Fig. 1 for simplicity of presentation, other network entities can obviously be 
included in the network - such as additional interface units, routers, controllers, 

160 and gateways. Although Fig. 1 sets forth a particular broadband telephony 
architecture, one of ordinary skill in the art would recognize that the security 
enhancements of the present invention are readily extendible to other 
architectures. For example, the present invention can be utilized with broadband 
communication networks that do not use cable access networks but rather use 

165 digital subscriber line (DSL), Integrated Services Digital Network (ISDN), or 
some other access architecture. Moreover, the present invention can be utilized 
with other packet-switched architectures or with a hybrid network architecture. 

Fig. 2 sets forth a simplified block diagram of the components of a 
BTI, configured for use with the present invention. The BTI performs signaling 

170 and call control functions and enables telephony service on the communication 
network by digitizing, compressing, and packetizing analog signals from a 
telephone 190 into data packets for transport over the communication network. 
The functions of a BTI can be implemented in many different ways that would be 
apparent to one of ordinary skill in the art, including as software executed on a 

175 typical computer. Fig. 2 illustrates a hardware embodiment of a BTI 1 70 that can 
be a stand-alone device, can be integrated with a telephone 190 to create a stand- 
alone telephony device or can be integrated with an access device (e.g. the cable 
modem 160 in Fig. 1 or a set top box) to form a general network interface unit. 
The BTI in Fig. 2 comprises a processor 210 and hardware (here shown as a 

180 subscriber line interface circuit 250, codec 260, and echo canceler 265) capable of 
detecting changes in state information (e.g. hook state detection), collecting dialed 
digits (e.g. dual tone multifrequency (DTMF) signals), and participating in the 
implementation of telephone features. The processor 210 has access to memory 
220 which stores data such as cryptographic keys 222 and the operating system 
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185 221 and program instructions necessary for the operation of the BTI. For security 
purposes, it is advantageous for the BTI also to have read only memory 230 which 
stores code downloading code ("CDC") 232 and the service provider's public key 
23 1, as further discussed below. It is also advantageous for some of the data and 
code in memory 220 to be stored in some form of non- volatile memory so that 

190 such information is not erased if power to the BTI is turned off. 

The BTI 170 advantageously should be able to performing 
probabilistic computation, whether by hardware (e.g. a noisy diode), software 
(e.g. a pseudo-random generator with a good seed), or some combination. This is 
necessary for the BTI to be able to generate cryptographic keys and to perform 

195 related cryptographic functions such as ElGamal signatures. Without a hardware 
source of randomness, it will likely be necessary for the BTI 170 to maintain 
about 200 bytes of state for the lifetime of the device, which will need to change 
often. One possible embodiment would be to keep the state data in RAM memory 
which gets copied to nonvolatile flash memory when there is a chance of a loss of 

200 power. 

As further elaborated on below, the BTI 170 need not necessarily 
be under the direct control of the service provider, e.g. the entity operating the 
communication network. The BTI, operated in accordance with the present 
invention, can be implemented as customer premises equipment that is untrusted 
205 and operates based on locally-stored software. The customer, in other words, can 
purchase the BTI at a local store or can have the device shipped to her home. 
Where the BTI is implemented as software, it can be simply downloaded and 
installed on a computer pre-configured for access to the communication network. 

210 Provisioning 

In accordance with a preferred embodiment of the present 
invention, Fig. 3 illustrates security protocols to be utilized in the provisioning of 
a user who wishes to utilize the network. The following notation and 
abbreviations are used in the discussion: 

215 
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NOTATION 


DEFINITION 


SP 


A service provider, such as AT&T. 


PS 


A provisioning server operated by the service provider and 
reachable over the access network and the backbone. 


BTI 


The customer premises equipment, namely the broadband 
telephony interface. The cable modem is not distinguished 
from the BTI for purposes of the following discussion. 


GC 


The gate controller. Every BTI communicates with an 
assigned gate controller on the back end. 


U 


Refers to the human user. 




This notation means that the message X is signed with the 
private portion of public key, k. It is assumed that the public 
portion, k+, is used to verify the signature. 




This indicates that X is encrypted under the key, k. 




This represents the private key of principal, P. So, for 
example, Ksp. is the private key of the service provider. 


K P+ 


This represents the public key of principal, P. 




This represents a public key certificate binding ID to the key k 
by the authority holding the private key, K P _. We use this 
notation because certificates can hold a lot of other 
information. 


A -> B : message 


This notation means that A sends message to B. 


IKE 


Internet Key Exchange. This is the Standard protocol for key 
management defined by the IETF. 



In the case of a cable access network 150, it is assumed that the 
cable modem 160 has undergone DOCSIS registration and the baseline privacy 
key exchange prior to the provisioning process described below. The cable 
220 modem 1 60 thus has a secure channel with the CMTS 155 at the head end. It is 
assumed that the network infrastructure beyond the head end is a managed 
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backbone for which reasonable security precautions have been taken, e.g. to 
secure servers. The provisioning server 140 itself, since it manages keys, must be 
very well secured. Nevertheless, it is assumed that the BTI 170 cannot trust 

225 signals on the cable. That is, the threat model includes the possibility that a 
hostile intruder can masquerade as the cable head-end and fool the BTI into 
believing it is communicating with a legitimate service provider. 

In accordance with an embodiment of the present invention, 
cryptographic means are advantageously utilized to authenticate the service 

230 provider. The objective of the provisioning process is for the service provider to 
securely establish an association between a customer account and a cryptographic 
key, where the key is available only to the BTI (and the provisioning server). The 
key can be used to authenticate key exchanges later. In practice, where the key is 
a symmetric key, this means that the two sides share a string of random bits that 

235 can be used as encryption and keys for message authentication codes (MAC). It is 
common to use different keys to encrypt and MAC in each direction , so if a 128- 
bit cipher is used, the provisioning scenario will result in at least 512 bits of 
shared random bits. Note that the cryptographic key can be a public key rather 
than a symmetric key, where the corresponding private key is stored in the BTI. 

240 The service provider, SP, is assumed to have a public/private key 

pair. The private key is stored in a safe place and there are strict procedures for 
accessing this key. The public key, K SP+ , is stored in the memory of the BTI or 
built into the BTI, for example by burning the key into read only memory. If this 
public key turns out to be source of attack (e.g. attackers successfully substitute a 

245 rogue key into BTIs in a particular area and manage to spook the provisioning 
server), then the key can be further protected by storing it in tamper-resistant 
storage. It is advantageous that there be a public key infrastructure whereby the 
service provider issues public key certificates for the provisioning servers, e.g. PS. 
There can be several layers of hierarchy in practice. It is assumed that the private 

250 key for the provisioning server is stored somewhere inside the network, and that 
when the BTI sends a message to the provisioning server, it is communicating 
with a secure location inside the network. 
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The user obtains and installs the BTI, whether by merely plugging 
the device in or by installing software on a computer. The user picks up the phone 
255 and dials a provisioning number (e.g. 61 1) to enable registration. In accordance 
with a preferred embodiment of the present invention, the following messages, as 
illustrated in Fig. 3, then take place. It should be noted that, in addition to or in 
lieu of the signatures indicated in Fig. 3, the values of the messages can be 
digitally signed or hashed, using a message authentication code (MAC) with each 
260 message. Different keys can be utilized in each direction with the protocol. Such 
details are not included for simplicity of exposition and would be known to one of 
ordinary skill in the art. 

At step 301, the BTI 170 receives the provisioning number: 

265 U->BTI:611 

The BTI issues a SETUP message to the gate controller 1 10, which routes the call 
to a provisioning server 140 and returns a SETUP_ACK message containing the 
IP address of the provisioning server. The authentication information in the 
270 SETUP message from the BTI can be null. 

At step 302, the BTI 170 announces its existence to the 
provisioning server 140 

BTI ^ PS : yo! 

275 

and requests the certificate and public key from the provisioning server 140. At 
step 303, the provisioning server 140 provides its public key and certificate: 

PS -> BTI : K ps+ ,CERT(PS,K ps+ ) Sksp 

280 

Certificates are convenient here because they allow the BTI to store a public key, 
here the service provider's public key, and have confidence in another public key 
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(here, the provisioning server's public key) if it carries a certificate signed by the 
private key corresponding to the service provider's public key stored in the BTI. 
285 At step 304, the BTI 1 70 generates random symmetric keys, SK, 

AK, and K and transmits the following message to the provisioning server 170: 

BTI PS : {SK, AK,N 0 }k, {info} SK ,{K} Kpst 

290 K is used to encrypt the message that is sent with a symmetric cipher. K itself is 
encrypted with the public key of PS to make sure nobody else can read it. SK is a 
session key that will be used for future communication with the provisioning 
server 170 for the remainder of the provisioning. AK is a symmetric key that is 
used to secure the audio channel. In practice, AK may actually be a master key 

295 used to generate the actual keys used for encryption and to generate message 

authentication codes (MAC). N 0 is a random nonce (a one-time identifier) used to 
prevent replay attacks (it is possible to avoid using nonces by including a hash of 
the received (challenged) message in every response). The reply from PS will 
contain N 0 as well to link the two messages together, info contains the 

300 information in the message, such as the network address (Media Access Control 
address, IP address, etc.) of the broadband telephony interface 170. 

At step 305, the provisioning server 140 acknowledges the 
registration request and proves knowledge of the session key: 

305 PS BTI : {ACK, N 0 , N x } SK 

At this point, the session key is "good" and the network associates it with the 
particular IP endpoint. 

At step 306, the BTI 170 sets up a voice connection with the 
310 provisioning server 140 and uses the audio channel key, AK, to secure the voice 
path. In practice, the audio stream should be encrypted and protected using 
message authentication codes. For simplicity, the secure messages, M, on the 
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340 



audio channel are represented as {M} AK . A this point, the BTI 170 completes the 
setup of the voice connection to the provisioning server 140. 

At step 307, the provisioning server 140 prompts the user for her 
authentication information: 

PS -» U : {"enter auth info"}^ 

The authentication information can be implemented in many different ways. For 
example, the authentication information can be a work order number that has been 
given to a customer (or to an installer) after the customer has subscribed for the 
service. The work order must be supplied when the BTI is provisioned to identify 
the customer account. As another example, the authentication information can be 
a credit card number, address, etc. that is provided by the user who subscribes for 
the service during the provisioning call itself. The audio stream is secured using 
AK from the PS 140 to the BTI 170, which converts it to an analog voice for the 
user. 

At step 308, the user speaks or dials her authentication information 
in response to the prompt: 

U BTI : auth info 

At step 309, the BTI 140 sends the authentication information over the secure 
audio channel to the provisioning server 140: 

BTI PS : {auth infoW 

At step 310, the BTI 140 generates a public/private key pair for the 
user and sends the public key, K u+ , to the provisioning server 140. 

BTI PS : {N } , N 2 , K u+ } SK 
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The provisioning server 140 associates the authentication information sent over 
345 the secure audio channel with the public key, K u+ , sent over the secure control 
channel. The PS 140 can do this because (a) it is aware that both came from the 
same network address and (b) it successfully authenticates and decrypts both the 
audio and control channel information using the keys, AK and SK, which the PS 
knows are associated with the same broadband telephony interface 170. The PS 
350 140 stores the BTI's public key for later usage and acknowledges receipt: 

PS ^ BTI: {ACK,N 2 } SK 

At this point, the user is provisioned. The BTI 170 and the provisioning server 
355 140 share a long-term symmetric key that the provisioning server can associate 
with the subscriber account. In practice, the BTI and PS may share up to 5 12 
random bits to comprise four 128-bit encryption and MACing keys, as described 
above. In future sessions, the BTI 170 can generate a session key, sign it, and 
send it under the public key of the provisioning server 140 or the long-term key it 
360 shares with the server in a similar manner. No interaction from the user is 
necessary to establish these future session keys. 

The foregoing Detailed Description is to be understood as being in 
every respect illustrative and exemplary, but not restrictive, and the scope of the 

365 invention disclosed herein is not to be determined from the Detailed Description, 
but rather from the claims as interpreted according to the full breadth permitted by 
the patent laws. It is to be understood that the embodiments shown and described 
herein are only illustrative of the principles of the present invention and that 
various modifications may be implemented by those skilled in the art without 

370 departing from the scope and spirit of the invention. 
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What is claimed is: 

1 A method of provisioning a user's broadband telephony 

2 interface comprising the steps of: 

3 receiving information authenticating a provisioning server; 

4 establishing a communication channel between the user and the 

5 provisioning server over which is transmitted authorization information from the 

6 user to the provisioning server; and 

7 encrypting and transmitting a cryptographic key associated with 

8 the user to the provisioning server. 

1 2. The method of claim 1 wherein the communication channel is a 

2 voice channel connection. 

1 3 . The method of claim 2 wherein the communication channel is 

2 encrypted using an audio channel key which is encrypted and transmitted to the 

3 provisioning server prior to establishing the communication channel. 

1 4. The method of claim 3 wherein the cryptographic key 

2 associated with the user is encrypted using a session key which is encrypted and 

3 transmitted to the provisioning server prior to establishing the communication 

4 channel. 

1 5 . The method of claim 4 wherein the session key and the audio 

2 channel key are encrypted using a cryptographic key that is encrypted using a 

3 cryptographic key associated with the provisioning server and transmitted to the 

4 provisioning server with the encrypted session and audio channel key. 

1 6. The method of claim 5 wherein the cryptographic key 

2 associated with the provisioning server is received with the information 

3 authenticating the provisioning server. 

1 7. The method of claim 6 wherein a random nonce is included 

2 with the encrypted session key. 

14 



Docket No. 1999-0053 



1 8. The method of claim 1 wherein the information authenticating 

2 the provisioning server is a digital certificate. 

1 9. The method of claim 1 wherein the cryptographic key 

2 associated with the user is a symmetric key. 

1 10. The method of claim 1 wherein the cryptographic key 

2 associated with the user is a public key corresponding to a private key stored in 

3 the broadband telephony interface. 

1 11. The method of claim 1 wherein a hash is included with each 

2 transmission. 

1 Yl. A broadband telephony interface comprising: 

2 / a first interface to a user telephone; 

3 a second interface to a communication network with access to a 

4 provisioning server; 

5 memory for storing cryptographic keys; 

6 a processor connected to the memory and the first and second 

7 interfaces for executing program instructions, the program instructions causing the 

8 processor to perform the steps of: 

9 receiving information authenticating the provisioning 

10 server; 

1 1 establishing a communication channel between the user 

12 telephone and the provisioning server over which is transmitted 

13 authorization information from the user to the provisioning server; and 

14 encrypting and transmitting a cryptographic key associated 

15 with the user to the provisioning server. 

1 13. The broadband telephony interface of claim 1 2 wherein the 

2 communication channel is a voice channel connection. 
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1 14. The broadband telephony interface of claim 13 wherein the 

2 communication channel is encrypted using an audio channel key which is 

3 encrypted and transmitted to the provisioning server prior to establishing the 

4 communication channel. 

1 15. The broadband telephony interface of claim 1 4 wherein the 

2 cryptographic key associated with the user is encrypted using a session key which 

3 is encrypted and transmitted to the provisioning server prior to establishing the 

4 communication channel. 

1 16. The broadband telephony interface of claim 15 wherein the 

2 session key and the audio channel key are encrypted using a cryptographic key 

3 that is encrypted using a cryptographic key associated with the provisioning server 

4 and transmitted to the provisioning server with the encrypted session and audio 

5 channel key. 

1 17. The broadband telephony interface of claim 1 6 wherein the 

2 cryptographic key associated with the provisioning server is received with the 

3 information authenticating the provisioning server. 

1 18. The broadband telephony interface of claim 1 7 wherein a 

2 random nonce is included with the encrypted session key. 

1 19. The broadband telephony interface of claim 12 wherein the 

2 information authenticating the provisioning server is a digital certificate. 

1 20. The broadband telephony interface of claim 12 wherein the 

2 cryptographic key associated with the user is a symmetric key. 

1 21 . The broadband telephony interface of claim 12 wherein the 

2 cryptographic key associated with the user is a public key corresponding to a 

3 private key stored in the broadband telephony interface. 



16 



Docket No. 1999-0053 



1 22. The broadband telephony interface of claim 12 wherein a hash 

2 is included with each transmission. 

1 23/A method of operating a provisioning server comprising the 

2 steps of: / 

3 receiving a request to be provisioned from a broadband telephony 

4 interface; 

5 transmitting authentication information to the broadband telephony 

6 interface; 

7 receiving authorization information over a communication channel 

8 established between a user of the broadband telephony interface and the 

9 provisioning server; and 

10 receiving an encrypted cryptographic key associated with the user 

1 1 from the broadband telephony interface. 

1 24. The method of claim 23 wherein the communication channel is 

2 a voice channel connection. 

1 25. The method of claim 24 wherein the communication channel is 

2 encrypted using an audio channel key which is received from the broadband 

3 telephony interface prior to establishing the communication channel. 

1 26. The method of claim 25 wherein the cryptographic key 

2 associated with the user is encrypted using a session key which is received from 

3 the broadband telephony interface prior to establishing the communication 

4 channel. 

1 27. The method of claim 26 wherein a cryptographic key 

2 associated with the provisioning server is transmitted to the broadband telephony 

3 interface and the session key and the audio channel key are received encrypted 

4 using the cryptographic key associated with the provisioning server. 
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1 28. The method of claim 27 wherein the cryptographic key 

2 associated with the provisioning server is transmitted with the authentication 

3 information to the broadband telephony interface. 

1 29. The method of claim 28 wherein a random nonce is included 

2 with encrypted session key and audio channel key. 

1 30. The method of claim 23 wherein the authentication information 

2 is a digital certificate. 

1 31. The method of claim 23 wherein the cryptographic key 

2 associated with the user is a symmetric key. 

1 32. The method of claim 23 wherein the cryptographic key 

2 associated with the user is a public key corresponding to a private key stored in 

3 the broadband telephony interface. 

1 33 . The method of claim 23 wherein a hash is included with each 

2 transmission. 
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ABSTRACT 

The broadband telephony interface is provisioned by receiving 
information authenticating a provisioning server, establishing a communication 
channel between the user and the provisioning server over which is transmitted 

5 authorization information from the user to the provisioning server, and encrypting 
and transmitting a cryptographic key associated with the user to the provisioning 
server. The cryptographic key can be a symmetric key or a public key 
corresponding to a private key stored in the broadband telephony interface. The 
cryptographic key can be utilized to generate other keys which are utilized to 

10 secure communication channels for the telephony service. The broadband 

telephony interface advantageously can be implemented as untrusted hardware or 
software that is installed by a customer. 
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